$ AI agent governance, security tooling, and mechanical enforcement.

rigscore v2.1.0

  • #rigscore
  • #security
  • #ai
  • #devtools
  • #open-source
  • #release

Changes: v2.0.0 → v2.1.0

The verifiability campaign previewed in v2.1.0-rc1 ships final, and it lands alongside the largest coverage pass since v1.0.0. rigscore now runs 28 checks — 13 scored plus 15 advisory (the rc1 count was 27; the 28th is the new semantic judge below). No scored weights moved: the Security axis and every published badge are unchanged.

The 28th check: semantic tool-description judge

ChangeWhat it does
Opt-in --semantic judge (semantic-tools)Catches obfuscated MCP tool poisoning — a hidden directive paraphrased into a tool description so the static regex checks never fire. OFF by default and makes zero external calls unless you pass --semantic; then it hands each tool description to your own first-party claude -p (Max-plan CLI — never an API key, never an SDK) to classify benign vs. suspicious. Each description is wrapped in a data-only frame so a poisoned tool cannot hijack the judge, and a missing claude skips gracefully. Advisory (weight 0), enforcement-grade pattern, finding id semantic-tools/suspicious-tool-description.

Coverage — more of your rig is scanned by default

ChangeWhat it does
Directory-form rule sets.cursor/rules/*.mdc, .windsurf/rules/, .clinerules/ (directory form), .github/instructions/*.instructions.md, plus .amazonq/rules/ and .kiro/steering/ are read with no .rigscorerc.json opt-in. A repo governed only by .cursor/rules/*.mdc no longer scores “no governance.”
Nine more AI clientsAmazon Q Developer, Roo Code, Cody, JetBrains Junie, Goose, Warp, Kiro, Qwen Code, and Crush join the registry — their governance, MCP, and credential files are now scanned, rug-pull-pinned, and inventoried like every other client.
Claude Code’s real user storecredential-storage and network-exposure now scan ~/.claude.json (user- and local-scope mcpServers), where plaintext secrets in server env maps were previously invisible.
Broader secret detectionSix more provider token formats (GitHub ghu_/ghs_/ghr_/github_pat_, Google GOCSPX-, legacy OpenAI, Shopify, Databricks), each \b-anchored and length-bounded to keep false positives low.

Transparency & auto-fix

ChangeWhat it does
Enforcement-grade labelsEvery check now carries a [mechanical] / [pattern] / [keyword] tag in the score line and on every SARIF result, so you can see how each point is earned — deterministic config check vs. regex/structural vs. presence detection. Display-only: no scoring, weight, or dependency change.
Non-destructive config-merge enginerigscore init --<pack> --merge (alias --harden) hardens a config that already exists: absent keys are added, arrays union by value, YAML comments and order survive, and any value you already set is kept and reported — never clobbered. Idempotent on a second pass.
More --fix auto-fixesAuto-remediation for the MCP auto-approve bypass (CVE-2025-59536), ANTHROPIC_BASE_URL redirects (CVE-2026-21852), Docker privileged / socket-mount / cap_drop / no-new-privileges, and the coherence undeclared-MCP-server finding — each additive or surgical, idempotent, and never rewriting a corrupt or per-user homedir file.

Verifiability — now final

ChangeWhat it does
Signed releases + provenance + SBOMEvery release ships a Sigstore-backed build-provenance attestation and a CycloneDX SBOM; scripts/verify-release.sh downloads the assets and runs gh attestation verify. See verify rigscore.
Per-finding findingId coverageverify:docs now fails when any literal finding id a built-in check emits is missing from docs/FINDING_IDS.md — the ids consumers pin for SARIF ruleIds, --ignore, and baseline diffs.
Distributionpre-commit.com framework support (- id: rigscore), a GitHub-Marketplace-listable composite action, and config extends for sharing one hardened .rigscorerc.json across repos.

Install

1npx github:Back-Road-Creative/rigscore

No accounts, no telemetry, no network calls by default. MIT licensed.

github.com/Back-Road-Creative/rigscore